Undetected for 6 years, sophisticated malware can spy on PCs through your router

A nation-state developed a piece of malware so powerful that it can steal everything that’s happening on a computer without even being installed on the target device itself. Instead, it resides on a router. It’s called Slingshot and it was recently discovered by Kaspersky Lab. Incredibly, the malware is so powerful and sophisticated that it hid in routers for six years before finally being spotted.

That sophistication is why a nation-state is likely behind the attack. And while the infected routers that have been identified will be fixed via software updates, there’s no telling how many machines may have been affected.

According to Ars Technica, the sophistication of Slingshot rivals similarly advanced malware apps, including Regin, a backdoor that infected Belgian telco Belgacom and other targets for years, and Project Sauron, a separate piece of malware that also remained hidden for years.

The researchers don’t know precisely how Slingshot infected all of its targets, but in some cases the malicious app was planted inside MikroTik routers that Slingshot operators got access to.

“The malware is highly advanced, solving all sorts of problems from a technical perspective and often in a very elegant way, combining older and newer components in a thoroughly thought-through, long-term operation, something to expect from a top-notch well-resourced actor,” the researchers noted in their report.

After a router is infected, the malware loads a couple of “huge and powerful” modules on the target’s computer. These include a kernel-mode module called Cahnadr and a user-mode module called GollumApp. The two are then able to support each other to gather data and send it out to the attacker. The malware was probably used for spying purposes, as it was able to log desktop activity and clipboard data, as well as collect screenshots, keyboard data, network data, passwords, and data from USB devices.

The infected computers were located primarily in Kenya and Yemen, but also in Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia, and Tanzania. Targets included individuals as well as government organizations and institutions. Kaspersky did not identify the malware’s creators but said that debug messages were written in perfect English, suggesting developers spoke that language.

One incredibly sophisticated thing the malware did to conceal its existence was to use an encrypted virtual file system located in an unused part of the hard drive. The malware also encrypted all text strings in various modules directly to bypass security products. It even shut down certain components when forensic tools were in use on the device.

“Slingshot is very complex, and the developers behind it have clearly spent a great deal of time and money on its creation,” company researchers wrote. “Its infection vector is remarkable—and, to the best of our knowledge, unique.”